How Secure Cloud Analytics Works – Cisco Cloud Security

How Secure Cloud Analytics Works

The deployment and working of Secure Cloud Analytics is described in the following sections.

Deployment

Secure Cloud Analytics offers two deployment types, which can be used separately or together depending on where your workloads run:

• Public cloud monitoring: Agent-less monitoring of workloads by ingesting native cloud logs, and API integration to deliver threat detection and configuration monitoring.

• Private cloud monitoring: Virtual Cisco Secure Cloud Analytics sensor deployment to ingest network flow data, SPAN/mirror port traffic, and NGFW log information. (In this book, we only focus on public cloud monitoring.)

You can deploy either or both at the same time and review the configuration and alerts from both in a single Secure Cloud Analytics web portal UI. The web portal displays all sensors and monitored cloud deployments from the same page, so you can quickly review the state of your monitoring.

Dynamic Entity Modeling

Secure Cloud Analytics uses dynamic entity modeling to track the state of your network. In the context of Secure Cloud Analytics, an entity is something that can be tracked over time, such as a host or endpoint on your network, or a Lambda function in your AWS deployment. Dynamic entity modeling gathers information about entities based on the traffic they transmit and the activities they perform on your network. Secure Cloud Analytics can ingest native cloud log data and industry-standard telemetry, as well as use cloud provider APIs, to identify entities and the types of traffic each entity usually transmits. Secure Cloud Analytics updates these models over time, as the entities continue to send traffic (and potentially different traffic), to keep an up-to-date model of each entity. Figure 8-36 illustrates the interaction between various cloud-native security functions.


Figure 8-36 Interaction between various cloud-native security functions

From this information, Secure Cloud Analytics identifies the following:

• The roles for the entity, which are descriptors of what the entity usually does. For example, if an entity sends traffic that is generally associated with email servers, Secure Cloud Analytics assigns the entity an Email Server role. The role/entity relationship can be many-to-one, as entities may perform multiple roles.

• Observations for the entity, which are facts about the entity’s behavior on the network, such as a heartbeat connection with an external IP address, an interaction with an entity on a watchlist, or a remote access session established with another entity. Observations on their own do not carry meaning beyond the fact of what they represent. A typical customer may have many thousands of observations and a few alerts.
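The following is an added example (not Cisco's code, and not how Secure Cloud Analytics is implemented) that makes the ideas in the Deployment and Dynamic Entity Modeling sections concrete: it ingests constructed AWS VPC Flow Log records of the kind agent-less public cloud monitoring consumes, builds a per-entity model of what each internal address serves and whom it talks to, assigns roles from the traffic the entity usually handles, and records observations (a heartbeat to an external address, a watchlist interaction, a remote access session) as bare facts rather than alerts. The VPC CIDR, the port-to-role signatures, the peer threshold, the heartbeat rule, the watchlist, and the sample log lines are all assumptions chosen for illustration.

```python
# Added example (not Cisco's code): a toy dynamic entity model built from
# constructed AWS VPC Flow Log v2 records. The CIDR, role signatures,
# thresholds and watchlist below are assumptions chosen for illustration.
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from statistics import pstdev

ROLE_SIGNATURES = {"Email Server": {25, 465, 587}, "Web Server": {80, 443}, "DNS Server": {53}}
REMOTE_ACCESS_PORTS = {22, 3389}
MIN_PEERS_FOR_ROLE = 2          # assumed: distinct clients needed before a role is assigned
INTERNAL_NET = "10.0.0.0/16"    # assumed VPC CIDR; everything else is treated as external
WATCHLIST = {"198.51.100.99"}   # assumed watchlisted address

Flow = namedtuple("Flow", "src dst sport dport proto start action")

@dataclass
class Entity:
    ip: str
    served_ports: dict = field(default_factory=lambda: defaultdict(set))  # port -> client IPs
    peers: set = field(default_factory=set)
    roles: set = field(default_factory=set)

def parse_flow_log(lines):
    """Parse default-format VPC Flow Log v2 lines; skip NODATA/SKIPDATA records."""
    flows = []
    for line in lines:
        f = line.split()
        if len(f) == 14 and f[0] == "2" and f[13] == "OK":
            flows.append(Flow(f[3], f[4], int(f[5]), int(f[6]), int(f[7]), int(f[10]), f[12]))
    return flows

def is_internal(ip):
    return ip_address(ip) in ip_network(INTERNAL_NET)

def assign_roles(entity):
    """A role describes what the entity usually does: it is assigned once enough
    distinct clients have used a port in the role's signature (many roles per entity)."""
    roles = set()
    for role, ports in ROLE_SIGNATURES.items():
        clients = set().union(*(entity.served_ports[p] for p in ports))
        if len(clients) >= MIN_PEERS_FOR_ROLE:
            roles.add(role)
    return roles

def build_entity_models(flows):
    """Every internal IP seen in accepted traffic becomes an entity; record what it
    serves and whom it talks to, then derive its roles from that model."""
    entities = {}
    for fl in flows:
        if fl.action != "ACCEPT":
            continue
        for me, peer in ((fl.src, fl.dst), (fl.dst, fl.src)):
            if is_internal(me):
                entities.setdefault(me, Entity(me)).peers.add(peer)
        if is_internal(fl.dst):
            entities[fl.dst].served_ports[fl.dport].add(fl.src)
    for e in entities.values():
        e.roles = assign_roles(e)
    return entities

def derive_observations(flows):
    """Observations are facts about behaviour, not alerts: (entity, kind, detail)."""
    obs, external_contacts = [], defaultdict(list)
    for fl in flows:
        if fl.action != "ACCEPT":
            continue
        src_in, dst_in = is_internal(fl.src), is_internal(fl.dst)
        if fl.src in WATCHLIST or fl.dst in WATCHLIST:
            obs.append((fl.src if src_in else fl.dst, "Watchlist Interaction",
                        fl.dst if src_in else fl.src))
        if dst_in and fl.dport in REMOTE_ACCESS_PORTS:
            obs.append((fl.dst, "Remote Access Session", f"from {fl.src}:{fl.dport}"))
        if src_in and not dst_in:
            external_contacts[(fl.src, fl.dst, fl.dport)].append(fl.start)
    for (entity, ext, port), times in external_contacts.items():
        t = sorted(times)
        gaps = [b - a for a, b in zip(t, t[1:])]
        # assumed heartbeat rule: at least 3 contacts at a near-constant interval
        if len(gaps) >= 2 and pstdev(gaps) <= 0.1 * sum(gaps) / len(gaps):
            obs.append((entity, "Heartbeat", f"{ext}:{port} every ~{sum(gaps) // len(gaps)}s"))
    return obs

# Constructed sample log (VPC Flow Log v2 default fields); not real traffic.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51234 25 6 12 1800 1620000000 1620000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40211 25 6 9 1400 1620000100 1620000160 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51300 443 6 5 900 1620000200 1620000260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.9 192.0.2.44 43001 8443 6 3 400 1620000000 1620000030 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.9 192.0.2.44 43002 8443 6 3 400 1620000300 1620000330 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.9 192.0.2.44 43003 8443 6 3 400 1620000600 1620000630 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.9 192.0.2.44 43004 8443 6 3 400 1620000900 1620000930 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.9 198.51.100.99 43099 80 6 4 600 1620000450 1620000480 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.3.3 55000 22 6 20 3000 1620000500 1620000560 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.77 10.0.3.3 55001 3389 6 1 60 1620000510 1620000520 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1620000600 1620000660 - NODATA",
]

def demo(lines=SAMPLE_LOG):
    flows = parse_flow_log(lines)
    return build_entity_models(flows), derive_observations(flows)

if __name__ == "__main__":
    entities, observations = demo()
    for e in entities.values():
        print(e.ip, sorted(e.roles), "peers:", sorted(e.peers))
    for o in observations:
        print(*o)
```

Running it shows the points the text makes: 10.0.1.5 earns the Email Server role because two distinct clients used port 25, but not the Web Server role, since only one client touched 443; 10.0.3.3 gets no role even though it accepted an SSH session, which is recorded only as a Remote Access Session observation; and the regular 8443 contacts from 10.0.2.9 become a Heartbeat observation. None of these observations is an alert on its own; a real product correlates many such facts (and the entity's expected roles) before it raises one.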
